Having set up one basic DNSSEC domain (my blog), I decided to do another. This time it was a .com, so what might have worked on the other is another exciting experience of will it or won't it.
So I recreate the zone, turn on DNSSEC, muse on the records setup for a day and then switch over. A first change is in my DNSSEC settings, where the protocol used is the same but has a higher number, which might throw a spanner in the works, but it's new.
Since I know I need a KSK and a ZSK (two records), I hopefully should be a lot faster than before.
Primarily I am doing this for TLSA records; for a good primer on those, try this (not here). The other domain, a .eu, has no TLS; this .com has TLS.
There are other ways to generate the TLSA hash, for instance with
openssl x509 -in input.crt -outform DER | openssl sha256
But that gets you a hash, not a TLSA record, which looks like this:
_25._tcp.example.com. IN TLSA 3 1 1 largesequenceoflettersandnumbers
Anyhow, so this image (left) should change to this (right).
The 3 1 1 (usage, selector and matching type) are needed, otherwise the DNS record will be rejected.
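As an added example (not from the post), this stdlib-only Python builds the TLSA rdata for either selector from a DER certificate: note that the openssl pipeline above hashes the whole certificate, which is selector 0, while a 3 1 1 record needs the SHA-256 of the SubjectPublicKeyInfo. The sample certificate below is constructed inline and is not a real one; for your own, pass pem_to_der(open("cert.pem").read()) to tlsa_rdata.

```python
"""Build DANE TLSA rdata from an X.509 certificate using only the standard library."""
import base64, hashlib, re

def _tlv(data, pos=0):  # decode one DER TLV at pos; return (tag, value, position after it)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                 # long form: low bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo of a DER certificate (what selector 1 hashes)."""
    _, cert, _ = _tlv(cert_der)                       # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert)                            # tbsCertificate ::= SEQUENCE (first element)
    tag, _, pos = _tlv(tbs)
    pos = pos if tag == 0xA0 else 0                   # skip the optional [0] EXPLICIT version
    for _ in range(5):                                # serialNumber, signature, issuer, validity, subject
        _, _, pos = _tlv(tbs, pos)
    tag, _, end = _tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo not found")
    return tbs[pos:end]

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """usage 3 = DANE-EE; selector 0 = whole cert, 1 = SPKI; mtype 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    hexdata = data.hex() if mtype == 0 else (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()
    return f"{usage} {selector} {mtype} {hexdata}"

def pem_to_der(pem):  # strip the PEM armour and base64-decode the certificate body
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END", pem, re.S).group(1)
    return base64.b64decode("".join(body.split()))

def _der(tag, value):
    """Minimal DER encoder, used only to construct the sample certificate below."""
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8 or 1, "big")
    return bytes([tag, len(value)]) + value if len(value) < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb + value

# Constructed, structurally valid dummy certificate (unsigned, empty names); NOT a real certificate.
ECDSA_SHA256 = _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d040302")))
SAMPLE_SPKI = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a8648ce3d0201")))
                   + _der(0x03, b"\x00\x04" + b"\x11" * 64))          # placeholder EC public key
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + ECDSA_SHA256
                   + _der(0x30, b"") + _der(0x30, _der(0x17, b"240101000000Z") * 2) + _der(0x30, b"")
                   + SAMPLE_SPKI) + ECDSA_SHA256 + _der(0x03, b"\x00" * 9))

if __name__ == "__main__":
    print("_25._tcp.example.com. IN TLSA", tlsa_rdata(SAMPLE_CERT))           # 3 1 1 record
    print("_25._tcp.example.com. IN TLSA", tlsa_rdata(SAMPLE_CERT, 3, 0, 1))  # 3 0 1 record
```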
The switch day arrives and, unlike before, my nameservers go straight over on a .com. However, the DNSSEC keys are different: rather than use a public key, I can use key tag, digest and digest type, all of which have been provided by the DNS provider, which is very different to my experience with .eu.
These also stick; however I have a DS mismatch and a TTL mismatch, which I can't do anything about.
But it mostly works, bar those bugs, which appear not to be within my range of problem-solving ability or power to resolve.
An interesting note to this is that the keys (or digests) are not printed for the .com registry in the whois, so it appears that the bugs I noted I cannot do anything about.
A day later, an experimental DANE TLSA entry does not work, which I can fix, and that will be a blog post for another day. One TLSA record does work, so it's not all bad.
I am not convinced about sshfs records, which I could do, but I imagine there's a whole lot of wrong encryption in my setup, although it's very secure despite its ancient setup.
All good, apparently. Reverse DNSSEC zones, however, are a mystery, but something to think on and a topic for later.